Source: 2026-04-20 multi-expert AADM audit. Security auditor.
Problem
tooling/.github/workflows/security.yml runs only Semgrep with --config=auto. There is no:
- Secret scanning (gitleaks/trufflehog).
- SCA / dependency audit (pip-audit, npm audit, Dependabot).
- IaC scanning (Trivy, Checkov).
- SBOM.
- License scan (license contamination from training data is unaddressed).
Threat: Claude generates code pulling a typosquatted package, or a pasted secret lands in a commit.
Fix (only ship if a regulated client is in the pipeline)
Add as separate jobs in tooling/.github/workflows/security.yml:
- gitleaks
- dependency-review action (npm/pip audit)
- Trivy or Checkov for IaC
- License allowlist scan
Acceptance
A planted secret in a test branch fails CI. A typosquatted dependency fails CI. An unapproved license fails CI.
YAGNI gate
Same as #8 — don't ship until a regulated buyer is in the pipeline.
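The checks listed under Fix could look like the following fragment, added here as an example and not taken from the project's workflow. The action versions, severity threshold and license allowlist are assumptions; the jobs sit under the existing `jobs:` key next to Semgrep, and the dependency review job needs the workflow to trigger on `pull_request`.

```yaml
# Added example: jobs to merge under the existing `jobs:` key of
# tooling/.github/workflows/security.yml. Values marked "assumed" are
# illustrative, not project policy.
  secret-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so a secret in any pushed commit is seen
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Organization-owned repos also need GITLEAKS_LICENSE set as a secret.

  dependency-and-license-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high   # assumed threshold
          # Assumed allowlist (SPDX ids); a new dependency under any other
          # license fails the job.
          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC

  iac-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      # Pin to a reviewed commit SHA before shipping; @master is for illustration.
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          exit-code: '1'           # non-zero exit fails CI on findings
          severity: HIGH,CRITICAL  # assumed threshold
```

The dependency review step fails only on packages that already have a published advisory or a disallowed license, so the typosquat acceptance test should use a package with a known advisory.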